I don't think anything about the NPM supply chain attacks has to do with it being centralised. If anything, it made it easier to heal as NPM could centrally remove the bad packages.